CruSec’s 2019 CISSP Study Guide - Domain 1: Security and Risk Management
Domain 1: Security and Risk Management
1.1 Understand and apply concepts of confidentiality, integrity and availability
CIA Triad –
Confidentiality – Resources are restricted from unauthorized subjects. Data must be protected in storage, process and transit. Unauthorized disclosure can result from human error.
Integrity – Assures data has not been modified/tampered with
Prevents unauthorized subjects from making modifications
Prevent authorized subjects from making mistakes
Example includes Enron, where senior management were modifying accounting data to fool investors, resulting in the creation of SOx
Availability – services are available when needed by authorized subjects. Cyber threats target Availability more frequently than Confidentiality or Integrity.
Opposite of CIA is DAD – disclosure, alteration and destruction
1.2 Evaluate and apply security governance principles
Security Governance Principles – goal is to maintain business processes. IT security goals support the business goals (compliance, guidelines, etc). You shouldn’t be looking for the best technical answer, but the answer that best supports the business.
Top-Down approach is ideal. Upper management should always be involved. If you see anything referring to a bottom-up approach, it’s wrong.
Understand the difference between subjects and objects
Subjects – active entity on a system. Normally people. Programs can be subjects as well, such as a script updating files
Object – passive data on a system
SUBJECTS DO STUFF TO OBJECTS. Do not be thrown off – an application actively running in memory is a subject. If it’s not running, it is an object
Frameworks help avoid building IT security in a vacuum or without considering important concepts
Can be regulations, non-regulation, industry-specific, national, international
COBIT is an example. Set of best practices from ISACA. Five key principles. Focuses on WHAT you’re trying to achieve. Also serves as a guideline for auditors:
Principle 1 – Meeting Stakeholder needs
Principle 2 – Covering the enterprise end-to-end
Principle 3 – Applying a single, integrated framework
Principle 4 – Enabling a holistic approach
Principle 5 – Separating governance from management
ITIL is the de facto standard for IT service management. How you’re trying to achieve something
ISO 27000 series. Started as a British standard.
27005 refers to risk management
27799 refers to personal health info (PHI)
OCTAVE – self directed risk assessments
Senior leadership is always ultimately liable
That does not mean you are not liable as well; you may be, and that depends on Due Care
Auditing is a form of due care
Due Diligence vs Due Care
Due Diligence – the thought, planning or research put into the security architecture of your organization. This would also include developing best practices and common protection mechanisms, and researching new systems before implementing them
Due Care – is an action. It follows the Prudent Person Rule which begs the question “what would a prudent person do in this situation?” This includes patching systems, fixing issues, reporting, etc in a timely fashion.
Negligence is the opposite of due care. If you did not perform due care to ensure a control isn’t compromised, you are liable
1.3 Determine compliance requirements
SOX – response to ENRON scandal. Compliance mandates for publicly traded companies and ensures financial disclosure. Failure to comply can lead to stiff fines and jail time for executives
HIPAA – seeks to guard Protected Health Info (PHI). Applies to “covered entities” (healthcare providers, health plans, clearinghouses).
HITECH Act of 2009 makes HIPAA’s provisions apply to business associates of covered entities (lawyers, accountants, etc)
Any PII associated with healthcare is Personal Health Info (PHI)
GLBA – forces financial institutions to protect customer financial info. Must notify customers of breaches
Computer Fraud and Abuse Act (CFAA) – protects government computers used for interstate commerce. It’s a crime to exceed your authorization to use such a computer
There are six types of computer crimes (not necessarily defined by CFAA. Need to know the motives, which are obvious based on the name of the attack):
Federal Privacy Act
Electronic Communications Privacy Act (ECPA) – protected against warrantless wiretapping
Patriot Act of 2001 expanded law enforcement electronic monitoring capabilities.
Communications Assistance to Law Enforcement Act (CALEA) requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order.
PCI DSS – not a law. Self-regulation by major vendors. Mandates controls to protect cardholder data.
Computer Security Act – required US federal agencies to ID computers that contain sensitive info. They must then develop security policies for each system and conduct training for individuals involved with those systems.
California Senate Bill 1386 – one of the first US state-level laws related to breach notification. Required organizations experiencing data breaches to inform customers
1.4 Understand legal and regulatory issues that pertain to information security in a global context
EU Data Protection Directive – very pro privacy. Organizations must notify individuals regarding how their data is gathered and used. Must allow an opt-out option for sharing with 3rd parties. Opt-In is required for “most sensitive” data. Transmission of data outside of EU is not allowed unless recipients have equal privacy protections. US does NOT meet this standard. Safe Harbor is an optional agreement between the organization and the EU, where the organization must voluntarily consent to data privacy principles that are consistent with this.
EU Court of Justice overturned the Safe Harbor agreement in 2015. In 2016 the EU Commission and US Department of Commerce established the EU-US Privacy Shield, a new legal framework for transatlantic data transmission which replaced Safe Harbor
General Data Protection Regulation – went into effect in 2018 which replaced the above restrictions.
Applies to all organizations worldwide that offer services to EU customers
Extends concept of PII to photos/videos/social media posts, financial transactions, location data, browsing history, login credentials, and device identifiers
Data collection, retention and sharing must be minimized exclusively for the intended purpose.
Data breach requires notification within 72 hours of discovery
Organizations that deal with personal data on a large scale must appoint a Data Protection Officer to their boards
Focus of controls are on encryption and pseudonymization, which is the process of replacing some data elements with pseudonyms and makes it more difficult to identify individuals.
Wassenaar Arrangement – export/import controls for conventional arms and dual-use goods and technologies. Cryptography is considered “dual use”. This includes countries like Iran, Iraq, China and Russia who want to spy on their citizens, and so they don’t import overly strong cryptography technologies. US is not included in this. Companies like Google have to make country-specific technology because of this
Digital Millennium Copyright Act of 1998 - prohibits the circumvention of copy protection mechanisms placed in digital media, and relieves ISPs of liability for the activities of their users
Intellectual Property Protections:
Trademark – names, slogans and logos that identify a company/product. Cannot be confusingly similar to any trademarks. They are good for 10 years, but can be renewed indefinitely.
Patent – Has to be registered with the US Patent office, which is public information. Many companies avoid this, such as 3M. A patent is good for 20 years, and is considered the shortest of all intellectual property protections.
Copyright – Creative content such as songs, book and software code. It requires disclosure of the product and expires 70 years after the death of the author.
Licenses – End-User License Agreement (EULA) is a good example
Trade Secrets – KFC’s special seasoning, Coca-Cola’s formula, etc. Protected by NDAs (non-disclosure agreements) and NCAs (non-compete agreements). These are the best options for organizations that do not want to disclose any information about their products. Trade Secrets have no expiration.
Intellectual Property Attacks:
Corporate espionage – when competitors attempt to ex-filtrate information from a company, often using an employee.
Economic Espionage Act of 1996 – provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties if the offender is attempting to aid foreign governments.
Digital Rights Management is any solution that allows content owners to enforce any of the above restrictions on music, movies, etc
1.5 Understand, adhere to, and promote professional ethics
ISC2 Code of Ethics (RFC 1087)
Protect society, the commonwealth and the infrastructure
Act honorably, honestly, justly, responsibly and legally
Provide diligent and competent service to principals
Advance and protect the profession
Be familiar with the order of the canons, which are applied in order. If there is any ethical dilemma, you must follow the order. Protecting society is more important than protecting the profession, for example.
1.6 Develop, document, and implement security policy, standards, procedures and guidelines
Security Policies - These are the highest level and are mandatory. Everything about an organization’s security posture will be based around this. Specifies auditing/compliance requirements and acceptable risk levels. Used as proof that senior management has exercised due care. Mandatory that it is followed.
Wouldn’t use terms like Linux or Windows. That’s too low level. It would refer to these things as “systems”
Should be reviewed yearly or after major business changes, and dated with version number
Standards – mandatory actions and rules. Describes specific technologies.
Baselines – represents a minimum level of security. Often refer to industry standards like TCSEC and NIST
Somewhat discretionary in the sense that security can be greater than your baseline, but doesn’t need to be.
Guidelines – Simply guide the implementation of the security policy and standard. These are not mandatory.
Procedures – very detailed step-by-step instructions. These are mandatory. Specific to system and software. Must be updated as hardware and software evolves.
1.7 Identify, analyze and prioritize Business Continuity requirements
Strategic Plan – Long term (5 years). Goals and visions for the future. Risk assessments fall under this
Tactical Plan – useful for about a year. Projects, hiring, budget etc
Operational Plan – short term (month or quarter). Highly detailed, more step-by step.
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
Businesses don’t care about information security, they care about business. Security is concerned with managing the risks to a business
Risk Management Concepts:
Risk = Threat x Vulnerability
Assets – valuable resources to protect. People are always the most important assets
Vulnerability – a weakness
Threat - potentially harmful occurrence
Impact takes into account the damage in terms of dollar amounts. Human life is considered infinite impact.
Risk Analysis Types:
Quantitative – uses hard metrics, like dollars. Normally done to know where to focus qualitative analysis. Primary focus is determining what takes priority.
How likely is this to happen, and how bad would it be?
EF and ARO will typically be described as a percentage. If a laptop is lost or stolen, the EF would be 100%. But it’s possible for a fire to damage only 25% of a warehouse. Likewise, a flood may only be anticipated once in every 100 years, making the ARO .01 or 1%
Steps in Quantitative Analysis
Determine worth of an asset, including how much money it generates, value to competitors, legal liabilities, etc. Assign a dollar amount value
Asset Value (AV)
Evaluate loss potential caused by an instance of damage. You will determine your Exposure Factor and then calculate your SLE by multiplying the AV by EF (SLE = AV x EF)
Loss of productivity
Determine the likelihood of an incident occurring. Here we will be calculating the ARO.
Derived from historical data, statistical data, etc
Quick ARO Cheat Sheet:
1-in-4 = .25
1-in-10 = .1
1-in-20 = .05
1-in-50 = .02
1-in-200 = .005
1-in-500 = .002
Determine the ALE by multiplying SLE by ARO (ALE = SLE x ARO), OR (ALE = AV x EF x ARO)
Determine course of action:
Reduce risk – use controls to mitigate risk and reduce ARO or EF
Transfer/Assign risk – often done by purchasing insurance. You’d have to calculate if it makes sense financially. Could also mean outsourcing to a third party.
Avoid risk – very simply avoiding whatever would be introducing the risk
Accept risk – Usually done if an asset costs less than any controls required to protect it (See Safeguard Evaluation). Should be documented reasoning for accepting risk. All other options should be considered beforehand.
Risk left over after applying countermeasures is Residual Risk. Total Risk is the risk a company faces if they accept risk. The difference between the two is Control Gap.
Total risk – controls gap = residual risk
TCO – total cost of ownership of countermeasures. If TCO is lower than ALE, you have a positive Return on Investment (ROI)
Qualitative – uses more approximate values or measurements, such as HIGH/MED/LOW
Based more on softer metrics such as opinions, rather than numbers and historical data
Qualitative techniques and methods include brainstorming, focus groups, checklists, Delphi Technique, etc.
Delphi Technique – anonymous surveys. Issuer can’t see identity of who made statements
ALE (before safeguard) – ALE (after implementing safeguard) – annual cost of safeguard = value to the company
The value should not be negative. If it is, the cost of protecting an asset is more than the asset itself.
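Worked calculation of the formulas above (SLE = AV x EF, ALE = SLE x ARO, and the safeguard value formula), as an added example that is not part of the study guide. It reuses the guide’s own figures (laptop EF 100%, a fire damaging 25% of a warehouse, a 1-in-100-year flood); the dollar amounts and safeguard costs are constructed for illustration.

```python
# Added example (not from the study guide): quantitative risk analysis using
# the notes' formulas. Dollar figures below are constructed, not from the guide.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        # Single Loss Expectancy: SLE = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy: ALE = SLE x ARO = AV x EF x ARO
        return self.sle() * self.aro


def aro_from_one_in(years: int) -> float:
    """Convert a '1-in-n years' frequency to an ARO (1-in-100 -> 0.01)."""
    return 1.0 / years


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """ALE(before) - ALE(after) - annual cost of safeguard.
    A negative result means the safeguard costs more than the loss it prevents."""
    return ale_before - ale_after - annual_cost


def evaluate(scenario: Scenario, ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Value of a safeguard that changes the scenario's EF and/or ARO."""
    after = Scenario(scenario.name, scenario.asset_value, ef_after, aro_after)
    return safeguard_value(scenario.ale(), after.ale(), annual_cost)


# Constructed scenarios using the guide's EF/ARO examples.
WAREHOUSE_FIRE = Scenario("warehouse fire", 2_000_000, 0.25, aro_from_one_in(50))   # SLE 500,000 / ALE 10,000
WAREHOUSE_FLOOD = Scenario("warehouse flood", 2_000_000, 1.0, aro_from_one_in(100))  # SLE 2,000,000 / ALE 20,000
LAPTOP_THEFT = Scenario("lost/stolen laptop", 1_500, 1.0, 0.25)                       # SLE 1,500 / ALE 375

if __name__ == "__main__":
    for s in (WAREHOUSE_FIRE, WAREHOUSE_FLOOD, LAPTOP_THEFT):
        print(f"{s.name}: SLE=${s.sle():,.0f} ALE=${s.ale():,.0f}")
    # Sprinklers cut fire EF from 25% to 5% for $3,000/yr -> positive value (5,000)
    print("sprinkler value:", evaluate(WAREHOUSE_FIRE, 0.05, WAREHOUSE_FIRE.aro, 3_000))
    # A $25,000/yr flood barrier exceeds the $20,000 ALE -> negative value, accept the risk instead
    print("flood barrier value:", evaluate(WAREHOUSE_FLOOD, 0.0, 0.0, 25_000))
```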
1.10 Understand and apply threat modeling concepts and methodologies
Threat Modeling is where potential threats are identified, categorized and analyzed. Includes frameworks like STRIDE and DREAD
Microsoft STRIDE Threat Categorization:
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of privilege
Microsoft DREAD Threat Rating:
Damage – how bad is the attack?
Reproducibility – how easy to reproduce attack?
Exploitability – how hard to launch attack?
Affected users – how many people would be affected?
Discoverability – how easy to find the threat?
Types of attackers
Hacker - Black, White, and Gray
Outsiders – make up 48-62% of attackers
Means 28-52% of attackers are internal, either maliciously or unintentionally
Script Kiddies – little or no coding knowledge, but have knowledge or access to hacking tools. Just as dangerous as skilled hackers.
Hacktivists – socially motivated, political motivation. Include organizations like Anonymous who are known for DDoS-ing Visa, Mastercard and PayPal to protest the arrest of Julian Assange. Often aim to assure free speech, etc
State-Sponsored Hackers – often see attacks occurring during normal work hours. Essentially a day job. 120 countries have been using internet as a weapon. Include attacks like Sony (N. Korea), Stuxnet (US/Israel), etc
Malware propagates through four main techniques:
Boot sector infection
Anti-malware detects foul play primarily through signatures and heuristic-based methods
LOKI – ICMP traffic with commands hidden in it. Not so effective in 2019
Smurf Attack – Type of DDoS attack. ICMP packets with spoofed IP. The responses are all redirected to the victim
Fraggle Attack – Similar to Smurf attack, but uses UDP.
SYN Flood - succession of TCP SYN requests without ever completing the 3 way handshake. Goal is to consume all a server’s available memory.
LAND Attack – packet with the same source and destination address
Tear Drop – overlapping fragments, causing OS to get confused and crash.
Use a firewall that does fragment re-assembly
Replay Attack – traffic is intercepted in a MITM attack, and resubmitted at a later time. Time stamping messages is a simple countermeasure.
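Simple detection checks for three of the attacks listed above (LAND, Teardrop and SYN flood), run over constructed packet records, as an added example that is not part of the study guide. The record format (dicts with src/dst/port/flag fields and (offset, length) fragment tuples) and the half-open threshold are assumptions for illustration, not a real capture format or tool.

```python
# Added example (not from the study guide): detection logic for LAND, Teardrop
# and SYN flood over constructed packet records. Record format is assumed.
from collections import defaultdict


def is_land(pkt: dict) -> bool:
    """LAND: packet whose source and destination address (and port) are identical."""
    return pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport")


def has_overlapping_fragments(frags) -> bool:
    """Teardrop: fragments of one datagram whose byte ranges overlap.
    Each fragment is (offset, length); reassembly should reject these."""
    ordered = sorted(frags)
    for (off_a, len_a), (off_b, _) in zip(ordered, ordered[1:]):
        if off_b < off_a + len_a:   # next fragment starts inside the previous one
            return True
    return False


def syn_flood_sources(packets, max_half_open: int = 5):
    """SYN flood heuristic: sources sending many SYNs without ever sending an ACK
    (i.e. never completing the 3-way handshake). Threshold is an assumption."""
    syns = defaultdict(int)
    acked = set()
    for p in packets:
        if p.get("proto") != "tcp":
            continue
        if p["flags"] == "S":
            syns[p["src"]] += 1
        elif "A" in p["flags"]:
            acked.add(p["src"])
    return sorted(src for src, n in syns.items() if n > max_half_open and src not in acked)


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = (
    [{"proto": "tcp", "src": "203.0.113.7", "dst": "203.0.113.7", "sport": 139, "dport": 139, "flags": "S"}]
    + [{"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.10", "sport": 40000 + i, "dport": 80, "flags": "S"}
       for i in range(8)]
    + [{"proto": "tcp", "src": "192.0.2.20", "dst": "192.0.2.10", "sport": 50000, "dport": 80, "flags": "S"},
       {"proto": "tcp", "src": "192.0.2.20", "dst": "192.0.2.10", "sport": 50000, "dport": 80, "flags": "A"}]
)
TEARDROP_FRAGS = [(0, 1480), (1400, 600)]   # second fragment overlaps the first
NORMAL_FRAGS = [(0, 1480), (1480, 600)]     # contiguous, no overlap


def analyze(packets=SAMPLE):
    """Return (attack, source) findings for the LAND and SYN flood checks."""
    findings = [("LAND", p["src"]) for p in packets if is_land(p)]
    findings += [("SYN flood", src) for src in syn_flood_sources(packets)]
    return findings
```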
1.11 Apply risk-based management concepts to the supply chain
Supply Chain – US Trusted Foundry ensures that companies that produce and supply hardware are themselves secure